DotNetNuke DNN Spam Registrations Problem Fixed

DotNetNuke DNN Sites getting spam registrations – How to stop them

In recent weeks, many of our DNN websites have systematically been targeted for Spam New User Registrations. There has been some discussion around the how and why, and as much as we can tell, the problem is this:

1. Some script kiddy has bothered to write a bot that finds DNN websites. It is not even a good bot, because it is not capable of validating registrations to automated active email addresses. (If you are the creator of the bot… “YOU ARE DOING IT WRONG” as it is not going to bring the Google results you are looking for.)

2. The bot will attempt access to: www.yoursite.com/?ctl=Register

3. This brings into play the default DNN registration process module.

4. This page is currently available if your site has either Public or Verified registrations enabled.

5. Attempts to defeat the bot by raising the password complexity appeared to work for only a short time.

6. Enabling the inbuilt Captcha is as good as useless, as almost any OCR application can break it.

7. A better simple solution is needed.

ReCaptcha is the FIX that is working well

Here at InteractiveWebs, we decided that we would enable Recaptcha (a clever Google initiative, https://www.google.com/recaptcha/ ) that is harder for a machine to break, and test the results. We found that all the spam registrations stopped once Recaptcha was used.

To do this we created two Free DNN Modules to add Recaptcha to the URL that this bot is using to register on sites. The two modules are to support DNN 6.2+ and 7.x+.

Once installed, you need to add the module to a page as you would any other. We recommend adding it to its own page in the DNN Admin menu, and keeping the page Admin Only.

Step 5 – Configure the iWebs Register Module.

The module you are looking for is called: iWeb’s – Register – You can select the Settings from the module drop down as you would any other DNN module.

Enter the Public Key and Private Key information that you received from your Google Recaptcha registration of your domain. THEN SELECT UPDATE to save the information.

Step 6 – Install the Register Control

After saving your public and private keys by clicking “update” you are ready to:

Click on the “Install Register Control”

This will inject the Recaptcha setting into your website. So when you hit any registration URL (www.yoursite.com/?ctl=Register) you now get the Recaptcha box.

Update to V2 of Recaptcha

Google has released what they call V2 of Recaptcha. We have updated the module to support this. The process of updating to V2 goes like this.

1. By default, previously created recaptcha keys are V1. Any updated installs of our module will need to be put into V1 mode (in the settings) to keep working with your V1 keys that you have previously configured into the module. So after updating our module to the latest release, go into the module settings and enable V1 mode for the module to keep working.

2. V2 recaptcha is better than V1. So we would suggest that all users of the module update to V2. To do this, you update our module to the latest release, then go into the Google Recaptcha management page, and delete your domain's security keys, then generate new keys for V2. They have instructions on that process, albeit hard to understand.

Once you have new V2 recaptcha keys, you update these new keys back into our module and ensure that the V1 mode is NOT enabled. The V2 recaptcha will then run on your site.

To Remove and Uninstall

2. Uninstall the iwebs – Register module as you would any other DNN module.

Thoughts

This was a quick solution to some script kiddie's attempt to attack DNN. I’m actually struggling to find the purpose (if you wrote the bot and you are reading this, I would love to hear why). There is little threat from the registrations that I can find. More annoying than anything else. While Recaptcha can be broken, it would take some smarts or costs to use online services for the bot, so I suspect they will not bother and Recaptcha will reign for this problem. In any case, if they spend some time and effort making the bot work for Recaptcha, it is easy enough for us to implement some of the loads of other solutions available to stop them.

Donations

We included a donation button. If you find the solution, blog, research we did, modules we created and responses we provide to be helpful, please consider throwing us a few $.

122 Replies to “DotNetNuke DNN Spam Registrations Problem Fixed”

We really appreciate your recaptcha solution for DNN! We have been using version 2 on DNN 7.4.2 for over a year and it has been terrific. However, upon updating our site to DNN 8.0.4 and installing your latest version for DNN 8, we are now getting an error: “Incorrect Security Code” upon clicking the Register button. Your module is working on DNN 8.0.4 on my development p.c., IIS 10, but the error appears on DNN 8.04 on our server IIS 8.5. I don’t know if IIS version makes a difference. We have a real need to upgrade the live system to 8.0.4, but cannot proceed with the Recaptcha throwing this error. Any help or advice you can provide would be greatly appreciated! I am available to provide information and feedback to help solve this issue. Thank you, Shawn Cohan, President All Squared Web Design, LLC
NOTE: The url below is a live test version of our ecommerce site.

Appears that we found a relationship between the tls level, the target framework defined in the web.config and V2 reCaptcha. This may relate only to our specific production server, which may suggest there are other factors involved, or it may be more widespread and occurring on other servers. If the latter we would appreciate some feedback from others. We tested the module on DNN 8.0.4 and DNN 9.1.1. Our server runs under tls 1.2. The DNN installs operate under a target framework of 4.5 for 8 and 4.6 for 9. When we reverted to tls 1.0, 1.1 the reCaptcha worked. When we went back to tls 1.2 and changed the target framework to 4.6 or higher the reCaptcha worked. On another server running 1.2 and target framework 4.5 the reCaptcha also worked. So we are not sure if there are other factors, unknown to us, affecting the module and reCaptcha operation. We felt obligated to report what we found hoping that it might assist iWebs and others with a similar experience. If you have any additional insight regarding tls and the target framework and whether our results were coincidental to a solution or that it is a definite factor we would appreciate some feedback.

Don’t mean to belabor this; however, thought it might be important for those running .Net, especially with DNN sites. The following information was supplied by our hosting service:
We found that the issue was being caused by the website still trying to issue a TLS 1.1 connection to the Google ReCaptcha V2 which requires a TLS 1.2 connection. This was being caused by the application targeting .Net Framework 4.5 which defaults to using TLS 1.1 connections. Since your virtual server was already updated security wise to disable all secure connections except for TLS 1.2, this caused the error.
The solution was found to be adjusting the affected websites to target .Net Framework 4.6 or higher as they should default to using TLS 1.2 connections automatically. It seems your virtual server has .Net Framework 4.7 available so that is the framework version we targeted in your applications and that seemed to resolve the issue. If you run into this on other installations you should be able to resolve it by adjusting their web.config files to target .Net Framework 4.7.
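
Added example, not part of the original post, the comments above, or the iWebs module: the web.config change the last comment describes, shown as a constructed fragment with the 4.5 target beside the 4.7 one. The `compilation` and `httpRuntime` elements and their `targetFramework` attribute are standard ASP.NET configuration; the `debug` value and everything omitted are assumptions about a typical site.

```xml
<!-- Constructed fragment of a DNN site's web.config; all other elements are omitted. -->
<configuration>
  <system.web>
    <!-- Before: the site targets 4.5, the setup the comments above report failing
         with "Incorrect Security Code" once the server accepted only TLS 1.2:

         <compilation debug="false" targetFramework="4.5" />
         <httpRuntime targetFramework="4.5" />
    -->

    <!-- After: target 4.6 or higher (4.7 was used on the server described above),
         so the site's outbound HTTPS request to the reCAPTCHA V2 service can
         negotiate TLS 1.2 by default. -->
    <compilation debug="false" targetFramework="4.7" />
    <httpRuntime targetFramework="4.7" />
  </system.web>
</configuration>
```

On a real site, change only the `targetFramework` values on the existing elements and leave their other attributes and child elements in place; the chosen framework version must be installed on the server.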